About Google Santa

13 December 2014

Santa is a white- and blacklisting daemon for OS X used by Google internally and maintained by the Google Macintosh Operations Team. Gladly, they have open-sourced the code on GitHub. There are plans to let Santa synchronise rules from a management server, but this is still a work in progress.

Shameless copy from the GitHub page:
Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Installation

Download the release from GitHub and install it by executing the following commands.

Configuration

The file /var/db/santa/config.plist contains the configuration. For a complete list of configuration keys you can take a look at Configuration-Keys. By default Santa will be started in Monitor mode (ClientMode is set to 1). If you change ClientMode to 2, Santa will run in Lockdown mode and will deny every binary that has no allow rule.

Logging

Every application you open is checked by Santa first. You can verify this by tailing /var/log/santa.log.
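Tailing the log is fine for a quick check, but the interesting question before flipping ClientMode to 2 is which of the allowed executions would be denied under Lockdown, namely those allowed only because Santa had no rule for them. The script below is an added example, not code from the Santa project or this post: it parses santa.log lines, counts decisions, and lists the paths that were allowed without a matching rule. The sample lines are constructed, and the `key=value|key=value` line layout as well as the `reason` tokens (`BINARY`, `CERT`, `UNKNOWN`) are assumptions about santad's log format, so adjust the regex if your log looks different.

```python
"""Summarise Santa execution decisions from /var/log/santa.log.

Added example, not part of the Santa project. The line layout and the
reason tokens below are assumptions about santad's log output; the sample
lines are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample lines in the assumed "[timestamp] <level> santad: k=v|k=v" layout.
SAMPLE_LOG = """\
[2014-12-13T10:01:02.123Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=aaaa|path=/Applications/Safari.app/Contents/MacOS/Safari|pid=501|uid=501|user=alice
[2014-12-13T10:01:05.456Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=bbbb|path=/usr/local/bin/tool|pid=502|uid=501|user=alice
[2014-12-13T10:02:00.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=cccc|path=/Users/alice/Downloads/installer|pid=503|uid=501|user=alice
[2014-12-13T10:02:30.000Z] I santad: action=EXEC|decision=DENY|reason=BINARY|sha256=dddd|path=/tmp/blocked|pid=504|uid=501|user=alice
[2014-12-13T10:03:00.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=eeee|path=/Users/alice/Downloads/helper|pid=505|uid=501|user=alice
santad[77]: startup message without a structured body (ignored by the parser)
"""

# Timestamp in brackets, a one-letter level, the "santad:" tag, then the key=value body.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+santad:\s+(?P<body>.*)$")


def parse_line(line):
    """Return a dict of fields for one execution-decision line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for part in m.group("body").split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    # Only lines that carry a decision are execution events.
    return fields if "decision" in fields else None


def summarize(log_text):
    """Count ALLOW/DENY decisions and list paths that only ran because no rule existed.

    In Monitor mode a binary without a rule is allowed with reason=UNKNOWN; in
    Lockdown mode (ClientMode 2) the same execution would be denied, so these
    paths are the ones to review before switching modes.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    decisions = Counter(e["decision"] for e in events)
    by_reason = Counter((e["decision"], e.get("reason", "?")) for e in events)
    lockdown_candidates = sorted(
        {e.get("path", "?") for e in events
         if e["decision"] == "ALLOW" and e.get("reason") == "UNKNOWN"}
    )
    return {
        "events": len(events),
        "decisions": dict(decisions),
        "by_reason": dict(by_reason),
        "lockdown_candidates": lockdown_candidates,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} execution events")
    for (decision, reason), n in sorted(report["by_reason"].items()):
        print(f"  {decision:5} reason={reason:8} {n}")
    print("Would be denied under Lockdown (no rule matched):")
    for path in report["lockdown_candidates"]:
        print(f"  {path}")
```

Run it against a real log with `summarize(open("/var/log/santa.log").read())`; an empty `lockdown_candidates` list after a representative period of Monitor-mode use is a reasonable sign that the rule set is complete enough to try ClientMode 2.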